Ever heard of the General Data Protection Regulation? If not, go and read the Wiki. I’ll wait.
I can already hear what you’re thinking. “Grant, this doesn’t apply to me because my company is in the <insert non-EU country here>.” How do I know you’re thinking that? Because every single person with whom I’ve brought this up has had the same response. You might want to go back and re-read it.
There are three terms from the GDPR that you need to know. The first is Data Controller. This is any organization or individual that collects data from the Data Subject. If the Data Controller is located in the EU, then you’re subject to the new regulations. Yes, I know, you think this means you don’t have to worry. Hang on a second.
The second term is Data Processor. This is any organization or individual that processes data on behalf of the Data Controller. If the Data Processor is located in the EU, then you’re subject to these regulations. Hold on, this is the good bit.
The final term is Data Subject. The Data Subject is any individual who lives in the EU. Now, let’s reassess whether or not the GDPR applies to you. Do you have an email list that might include a subscriber from Italy? You’re subject to the GDPR. Have a customer in Germany? You’re subject to the GDPR. Do you have any personally identifiable information for any individual from any country within the EU? Guess what, you are subject to the GDPR.
I know the next thing you’re thinking. “So what? What’s the EU going to do, come after me?”
Depending on who you are, no, of course not. I believe that I can access the subscriber list to this blog (I never have, maybe something I should get on, but bear with me). If there’s anyone from the EU within it, then I’m subject to the GDPR. Now, am I worried? Well, yes. Not because the paltry number of hits I get is going to make me a good target. No, I’m worried because the penalties are insane and you know, for a fact, that they’re going to be going after people and organizations.
The penalties are easy to understand. 20 million euros or 4% of your turnover. Turnover? Yeah, another word for revenue. Gross revenue. I for one don’t have 20 million euros lying about, let alone the funds to pay for a lawyer to fight these guys in court. Yet, they could come after me and the sad sums I possess (I think I have about 70 pounds in my wallet at the moment, yeah, no US dollars even though I live in the US).
Oh, wait, I forgot one part. 20 million euros or 4% of your revenue, whichever is greater.
Now, do I have the attention of you and your organization? You bet I do. You can either hire a very high-priced legal team to go to Brussels (it’s lovely, I wonder what the EU pays, I could do data investigation for them… hmmmm….) to defend your organization in the international courts, or you need to ensure that you’re compliant with these new regulations.
It’s not like we were running out of work to do. However, a whole new assessment just fell in our laps. My strongest possible suggestion to you is that you ensure your boss and theirs are well aware that this is coming. You should either assess whether or not you’re vulnerable, clean up your systems, or lawyer up. The GDPR is going to be a huge deal in the coming year. Get ready.